Insights

Cracking Passwords

Author:

Richard Mason

Many predictions have been made that passwords will become obsolete. While this may happen in the future, passwords are still very much in use today and are not going away soon. 

Passwords represent one of the three main factors of authentication – “Something you know” – and provide ‘reasonable’ assurance that a user is who they claim to be when accessing an application or service.  

Unfortunately, as the number of applications and services an average person subscribes to continues to grow, so does the number of passwords they need to remember. This often leads to poor password practices among users, increasing their risk of compromise. However, even those who adopt strong password habits may still be at risk, as their passwords can be compromised by skilled attackers.  

In this insight, we explore some of the basic techniques used in penetration testing, and by hackers, to try to access a password hash, allowing them to reveal the corresponding plaintext value and compromise accounts. 

A bit of background to hashes and password storage 

Before we dive in, it’s important to understand what hashes are.  

A hash is a one-way function that converts an input of arbitrary length into a fixed-length value, which is intended to be unique to that input. However, it’s worth noting that collisions – instances where different inputs produce the same hash – can and do occur. Since this process is one-way, there’s no way to reverse it and retrieve the original input.  

For example, if we take the input “password” and process it through the MD5 hashing algorithm, we receive the hash “5f4dcc3b5aa765d61d8327deb882cf99.” If we use the input “pa55word” with the same algorithm, the result is “a17a41337551d6542fd005e18b43afd4.”

Despite the two inputs being quite similar, the resulting hash values are dramatically different. It is common practice, and highly recommended, to store passwords in their hashed formats. Although some systems still store passwords in clear text, using a hash adds an important layer of security, particularly in the event of a database leak.  

Additionally, it’s advisable to use more secure hashing algorithms than MD5, which we will discuss later. 

How could an attacker/tester obtain password hashes 

There are various ways in which we find password hashes during client engagements but here are a few common ones:  

  • A web application/API may return password hashes in responses
  • SQL injection vulnerabilities often lead to password hashes being disclosed
  • Finding password hashes in unsecured files
  • Intercepting password hashes in transit  

In most cases, an attacker would need to have already found and exploited a vulnerability to discover password hashes but once that has been done, they can attempt to “crack the hash” which will give them further access, by escalating their privileges and/or performing lateral movement across the application/network. 

Cracking the Hash 

With access to a hash, an attacker/tester can now attempt to discover the original input and there are several ways they can go about this. 

1. Hash Cracking Tools 

Attackers/Testers can try to discover the original input through an offline brute-force attack. In this approach, the attacker systematically guesses potential passwords, hashes them, and then compares the resulting hashes to the original. This method differs from an online brute-force attack, where the attacker repeatedly attempts to log into an application or service by submitting credentials directly. 

Several tools are commonly used to crack hashes, with Hashcat and John the Ripper being two of the most popular. 

Essentially, these tools take a password candidate, hash it, and then compare the resulting hash to the one provided. If the hashes match, the original input has been successfully “cracked.”  

Choosing between these tools often comes down to personal preference; each has its own advantages and disadvantages, which we will not discuss here.  

The effectiveness of an attacker in this scenario relies on the quality of the password candidates fed into the tool. This insight will explore various strategies that attackers can use to create inputs capable of discovering passwords that might initially seem strong. 

2. Brute Force Attack 

To understand a brute force attack, we first need to discuss the concept of keyspace. 

Keyspace refers to the total number of possible combinations for passwords; the larger the keyspace, the more attempts our hash-cracking tool will need to make in order to crack the hash successfully. In the context of offline brute force attacks, an attacker may test all 95 printable ASCII characters (which include lowercase letters a-z, uppercase letters A-Z, digits 0-9, and various special characters) in each character position. This emphasises why the length of a password has become more critical than its complexity. 

Let’s look at some calculations to illustrate this:  

If we have a password that is 5 characters long, created using any of the 95 printable ASCII characters in each position, the total keyspace is calculated as 95 raised to the power of 5 (95^5). This results in a keyspace of 7,737,809,375.  

In contrast, if we have a 6-character password using only uppercase and lowercase alphanumeric characters (a total of 62 possible characters), the keyspace is calculated as 62 raised to the power of 6 (62^6). This gives us a total keyspace of 56,800,235,584.  

This means that the keyspace for a 6-character password is 49,062,426,209 combinations larger than that for a 5-character password, despite the former not utilising special characters. Although the mentioned tools can perform an extremely high number of computations per second, attempting a brute force attack on longer passwords becomes increasingly time-consuming and computationally infeasible. 

3. Dictionary Attacks and Rules 

A more practical method for attacking longer passwords is known as a dictionary attack, or wordlist attack. This type of attack uses a text file, referred to as the dictionary, to compare the hashed version of various password candidates against a hash that the attacker has captured. Dictionary attacks exploit the tendency of people to use common and easily memorable words as their passwords. For this type of attack to be successful, the dictionary must be quite extensive to have a decent chance of cracking the password; however, large dictionaries do exist. One well-known example is the “rockyou2024” dictionary, which contains nearly 10 billion passwords compiled from various data breaches.  

While a dictionary attack is a solid starting point, organisations often require users to create passwords with a certain level of complexity. As a result, there is a chance that a given password will not be found in a standard dictionary. This is where rules come into play. For instance, if a user starts with the password “password,” and their organization mandates that passwords must contain both uppercase and lowercase letters, numbers, and special characters, the user might modify their password to something like “Password123!” or “Pa5sw0rd!”. A dictionary would need to be extensive to include every variation of the word “password,” as well as other commonly used words and their variations.  

To address this challenge, rules allow an attacker to generate mutations of passwords within the dictionary. This enables the attacker to test variations that include changes in capitalisation, common substitutions, suffix additions (such as adding “123!” to the end of a candidate), and other transformations. These methods significantly increase the likelihood of successfully cracking a hash without the need to create unwieldy, larger dictionaries. 

4. Keyboard Walking 

Keyboard walking is a very common method for creating passwords. This technique involves selecting one key and then pressing an adjacent key repeatedly. Some of the most well-known passwords generated using this method are “qwerty” and “123456.” While these passwords are easy to guess, it is possible to create more complex ones through keyboard walking by following different patterns on the keyboard and occasionally using the Shift key to include special characters or capital letters. For example, “Dr5tgY&uji(o” appears to be a strong, randomly generated password, but it was created by following a zigzag pattern up and down the keyboard.  

There are many tools and scripts available that can help attackers generate word lists based on this principle. One reliable tool that offers a high level of customisation for word list creation is KWProcessor. 

5. Custom Wordlist Generation 

As you’ve likely figured out at this point, an attacker’s effectiveness with offline brute force attacks heavily relies on the quality of their wordlist. This is why creating custom wordlists can be incredibly beneficial.  

One popular tool for this purpose is CeWL (Custom Word List generator). CeWL is a web scraping tool that crawls websites and extracts words to build a tailored wordlist. Attackers use CeWL to generate more relevant password lists based on publicly available information from a target organisation, such as employee names, product names, industry jargon, or commonly used terms. 

6. Attacking Passphrases 

Current password recommendations suggest using passphrases instead of traditional passwords. This is where combinator attacks come into play.  

In a combinator attack, an attacker combines multiple dictionaries to generate more complex password candidates. Unlike a dictionary attack, which tests single words, a combinator attack merges words from two or more dictionaries in various ways to guess more complex passwords.  
 
For example, if the first dictionary contains the words:  
– a  
– b  
 
And the second dictionary contains the numbers:  
– 1  
– 2  
 
The password candidates generated by a combinator attack would be:  
– a1  
– a2  
– b1  
– b2 

7. Advanced Attacks 

Advanced attacks involve additional methods that can be employed once other attack types have been exhausted. These methods generate more password candidates, which are often effective. Such attacks include Fingerprint and PRINCE attacks. 

Our Recommendations 

First and foremost, password hashes should never be sent or displayed within applications. As previously discussed, displaying or transmitting password hashes insecurely exposes users to the risk of their credentials being compromised.  

User passwords must be stored securely, which means they should never be saved in plaintext. A secure hashing algorithm, which is computationally intensive, should be employed. This kind of algorithm requires a significant amount of time to compute each hash, making brute force attacks less effective in the event of a data breach. Additionally, a salt – a random, unique value (often 32 bits) – should be added to each password before hashing. This practice prevents attackers from using precomputed hash tables to crack passwords.  

Recommended secure hashing algorithms include: 
– Argon2id 
– SCrypt  
– PBKDF2  

In accordance with current NIST guidelines, users should avoid overly complicated passwords. Rather than enforcing arbitrary complexity requirements, NIST now recommends encouraging users to create longer, easier-to-remember passphrases made up of common words that are still difficult to guess.  

Moreover, to prevent users from selecting common passwords, organisations should check submitted passwords against breached password databases, such as Have I Been Pwned. This approach helps to avoid the use of easily guessable passwords and provides an extra layer of security by flagging already compromised passwords.  

Users should also be encouraged to use password managers to securely store and generate complex, unique passwords for each account. This practice reduces the likelihood of password reuse, which is a common vulnerability. However, it is important to allow users to copy and paste passwords into the relevant fields on login forms, especially when the password manager cannot automatically fill them in.  

Finally, organisations should consider implementing Multi-Factor Authentication (MFA). While not mandatory for all users, it should be required for accounts with access to sensitive data. MFA adds an additional layer of protection by requiring users to provide another form of authentication, such as “something you have” or “something you are.” Even if an attacker manages to compromise a user’s password, they will still need access to the second factor to gain entry to the user’s account. 

Putting authentication to the test 

Concerned about the authentication of your applications or infrastructure? Our manual penetration testing services are designed to review authentication configuration (as well as many other areas) to ensure the environments under investigation are as secure as possible when it comes to the attacks outlined in this piece.  

For more details about our services and how they can provide the security assurances you need, get in touch with one of team to find out more. 

The latest Pentest research and insights

Looking for more than just a test provider?

Get in touch with our team and find out how our tailored services can provide you with the cybersecurity confidence you need.

Contact us today >
Pentest-CREST-Accreditation
Pentest ISO 9001 Accreditation
Pentest ISO 27001 Accreditation
Pentest - Cyber Essentials Plus Accreditation
Pentest - OSCP Accreditation
Pentest-CRTO-Accreditation

/contact Us

/connect

X-twitter Linkedin-in Github Youtube

/services

/about

/links

Pentest Limited is registered in England and Wales with company number 11925182

Registered address: 22 Great James Street, London, WC1N 3ES

VAT registration No: 331802826​

© 2019 - Present. Pentest Limited. All rights reserved.

  • A Shearwater Group plc Company